HOUND
v0.1 — private beta
Problem Who Trace Access
00 / INTRO
01/04
HOUND / 2026 SEC.02 / RUNTIME DEFENSE STATUS / BETA SF / NY

HOUND.

Security for builders. AI coding agents run with your full permissions. Hound watches what they actually do.

Scroll
01THE PROBLEM

AI Agents run with your Full Permissions.

¶ 01 When you invoke Claude Code or Cursor, it runs as you. Every file you can read, it can read. Every server you can reach, it can reach.

¶ 02 Most of the time, nothing goes wrong. But AI agents now install packages, run scripts, and execute code you've never reviewed. The attack surface is real.

¶ 03 Hound watches every process the agent spawns. The moment something exceeds its scope — a credential read, an unknown connection, a persistence attempt — Hound catches it and shows you exactly what happened.

¶ 04 Blocking rolls out one rule at a time — each proven safe before it can ever stop a process.

EXAMPLE  ·  ~/projects/acme-api  ·  hound --watch claude-code session · 8f21…a04c
10:24:01agent → read package.jsonALLOWED · in scope
10:24:02agent → spawn npm installALLOWED
10:24:07postinstall → node ./scripts/patch.jsOBSERVED
10:24:07patch.js → read ~/.aws/credentialsFLAGGED · credential access
10:24:07patch.js → connect 45.33.108.19:443FLAGGED · unknown destination
10:24:08hound → flagged · full trace recorded TRACED
02WHO IT'S FOR

Built for people
who build things.

If you've ever left an agent running overnight, shipped a PR at 2am, or typed yes to a prompt you half-read — this is for you. Hound is the quiet system in the background that makes that okay.

A · 01Indie hackers & solo founders
A · 02Staff engineers shipping with agents
A · 03Red teamers & security researchers
A · 04Teams adopting Claude Code & Codex
A · 05Open source maintainers
03THE TRACE

Every session explained.

TRACE

A Trace is the full story of what an agent did while it had your keys — every file touched, every process spawned, every byte it tried to send.

Not a log dump. A narrative. Readable by the person who wrote the prompt, not just the person who wrote the kernel module.

Share it with a teammate, attach it to a PR, or feed it back to the model. The Trace is the receipt. And it stays yours — local-first, nothing leaves your machine.

EXAMPLE — SESSION · 8f21a04c · ~/acme-api 1 VIOLATION FLAGGED
10:24:01 agent opened package.json · 2.1 KB READ
10:24:02 spawn npm install (pid 48201) EXEC
10:24:04 downloaded 214 packages · 18.4 MB NET · NPM
10:24:07 postinstall hook · ui-helpers → node ./scripts/patch.js EXEC
10:24:07 patch.js attempted to read ~/.aws/credentials FLAGGED
10:24:07 patch.js opened socket to 45.33.108.19:443 — not in allowlist FLAGGED
10:24:08 hound flagged process tree · summary recorded FLAGGED
10:24:09 trace written · hound://8f21a04c SAVED
Processes
1,284
Files touched
312
Egress
18.4 MB
Violations
01
04 — EARLY ACCESS

Request access.

You're on the list. We'll be in touch.

No spam. No marketing.

Built for macOS on Apple Silicon. More platforms to come.